http://www.w3.org/DesignIssues/Security-NotTheS.html
Just a quick note: the global root is about to be extended to capture all web and ssh traffic.
With the System D in-fighting it is going to be forked. If it has a backdoor the % of unix systems captured with the current firmware backdoors will increase a sizable amount.
TLS
With TLS added to OpenSSH to capture more SSH traffic, it is being pushed to capture more SSH traffic.
It is now being pushed as HTTPS/3 and HTTPS is disappearing.
- https will be eradicated
- https:// will load TLS (see link above)
- consumers will think it's secure when they see https:// and the logo
- one site will possibly be hacked and then http will be so thoroughly slandered everyone will demand tls
- getting the public to switch back to https will be impossible
The benefit of this is, if it is breakable or backdoored, not only will they get the new tls traffic but all the old https traffic also -- and now the openssh traffic too.
Why not offer https:// and tls://?
Every mandatory https movement or group was completely stalled or infiltrated for the last 10 years.
The way it was added to openssh... They merged it like 1 day after openssl 1.0 was released, and insta-released a 1.01 with basically only TLS, and the whole thing crumbled within a day. The patch was submitted and then code reviewed by the same guy.
TLS implementation has already had 2 serious show-stopping bugs if I remember, and Heartbleed on top of that.
Admittedly there's not much proof anywhere, and I was off the internet in 2012, but from what I remember the story is this:
- I don't really remember anyone saying we need tls
- I do remember people saying we need all sites to use https and maybe https 3 -- but all the projects were met with mysterious hurdles and people refusing to cooperate
- (this is similar to how all black rights and human rights movements were stopped in the last 100 years)
- I don't really remember any outcry of happiness tls was coming along
- I don't know who made it or what their background is and why they are legit
- Specifically I think it was made by two young kids, and I wouldn't be surprised if they are AT&T employees.
- etc
- (this can be argued in a small timewindow view of tls, but based on a view of 15 years of HTTPS is my opinion)
Arguably the W3C knows what it's doing to HTML, but should we follow? HTML is still a piece of crap after 20 years. (Google "How to Center text CSS", 27,100,000 results)
Before we do this we should understand how ****ing hard it is gonna be to set up a MeshNet...
Already posted this on HN and got down-voted into oblivion.
tbh I would rather just enc the html files with pgeep and call it done.
Summary:
Prepare for:
- ALL web sites to serve TLS only, no HTTPS anymore, TLS will be used under HTTPS:// urls
- ALL SSH clients to have TLS handshake code
- new SystemD forks showing up in distros
- OpenSSH developed by 50+ people from 30 different countries